Question for the computer geek IT people regarding VPN - Beyond.ca - Car Forums

Thread: Question for the computer geek IT people regarding VPN

  1. #1
    Join Date
    Jun 2002
    Location
    Calgary, Alberta
    My Ride
    Subaru Outback
    Posts
    1,134
    Rep Power
    29

    Default Question for the computer geek IT people regarding VPN

    I have a question for you guys.

    I have shaw high speed internet, and have the internet connection going into a Linksys router.

    There are 2 computers plugged into this router:

    Computer #1 is my personal desktop machine that is always plugged into the internet.

    Computer #2 is a work laptop they supplied me. When I want to use the work laptop online, I have to do it via a VPN system where I need to punch in a number that keeps changing on a little black keyfob. The brand of the keyfob is "RSA Secure ID". Once I have logged in with the VPN number, I'm on the internal company intranet system. The company IT people are able to see what I'm doing on the laptop at any time and can also provide tech support by taking control of the machine.

    My question is, if I'm online via VPN on my work laptop....do the IT people at my company have access to the files or what I'm doing on my home personal computer which is also plugged into the router?

    Thanks
    Pacman

  2. #2
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101

    Default

    Probably not. Here's what could happen though.... if your computer is on their domain, their admins would have full access to your laptop. From there they can look at all your files on your laptop. If your laptop has terminal services installed, they can log in secretly into your laptop. They can then find your desktop, and if simple file sharing is enabled (meaning Guest account is opened up) then they can access stuff on there. They won't be able to access the administrative shares on your desktop (c$, d$, etc) unless that's on the domain as well. Or they have a local administrator account on that desktop.
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name

  3. #3
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101

    Default

    btw, those RSA secure ID's are cool. A bit overkill IMO, unless you work for a bank, or government. Those are the only places I've been issued those rotating password keychain thingys.
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name

  4. #4
    Join Date
    Jun 2003
    Location
    YWG
    Posts
    3,119
    Rep Power
    24

    Default

    Originally posted by rage2
    btw, those RSA secure ID's are cool. A bit overkill IMO, unless you work for a bank, or government. Those are the only places I've been issued those rotating password keychain thingys.
    We use them for our VPN and Webmail systems. They are a serious pain in the ass.

  5. #5
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49

    Default

    Originally posted by sputnik
    We use them for our VPN and Webmail systems. They are a serious pain in the ass.
    But you'll have to steal the token and know the password to even attempt a login. Very secure.

  6. #6
    Join Date
    Jun 2002
    Location
    Calgary, Alberta
    My Ride
    Subaru Outback
    Posts
    1,134
    Rep Power
    29

    Default

    Thanks for the replies. I just assume that the IT dept doesn't have enough time to go hacking into my personal machine.

    I agree, those Secure ID cards are a big hassle to use sometimes...especially if you forget yours at home and you are out of town for work.

  7. #7
    Join Date
    Aug 2002
    Location
    Calgary
    My Ride
    FZ1
    Posts
    107
    Rep Power
    0

    Default

    Usually split-tunnelling is also disabled, meaning while you are on your company's VPN network, you can't get access to your local network.

  8. #8
    Join Date
    Nov 2002
    Location
    Not Aspen
    My Ride
    Two from Freemont
    Posts
    9,808
    Rep Power
    45

    Default

    That was what I was going to say.

    If your company's security settings are set up correctly through the VPN, you should have a tunnel straight into the corporate network. So when you surf the net, you have to use the proxy on the corp. network. It basically has nothing to do with your home network and can't access anything outside the corp network except through proxies to the outside world.

    Unless you are seeding torrents, if you are really paranoid, just shut down your home pc.

    Those RSA things are cool, but a big pain in the ass... especially when you forget them at home when on a road trip... lol

  9. #9
    Join Date
    Jun 2002
    Location
    Calgary, Alberta
    My Ride
    Subaru Outback
    Posts
    1,134
    Rep Power
    29

    Default

    Originally posted by benyl
    That was what I was going to say.

    If your company's security settings are set up correctly through the VPN, you should have a tunnel straight into the corporate network. So when you surf the net, you have to use the proxy on the corp. network. It basically has nothing to do with your home network and can't access anything outside the corp network except through proxies to the outside world.

    Unless you are seeding torrents, if you are really paranoid, just shut down your home pc.

    Those RSA things are cool, but a big pain in the ass... especially when you forget them at home when on a road trip... lol
    Ok this kinda makes sense to me. I have a limited knowledge when it comes to computer networking.

    I have noticed that if I'm playing streaming music on my WORK LAPTOP, and then I decide to log on to the VPN system....the streaming music stops as the system seems to disconnect it. I then have to wait for the VPN to login, go back to the streaming music website and start the connection again.

    I assume the IT department has better things to do than see what I'm doing on my home machine.....

  10. #10
    Join Date
    Jul 2004
    Location
    Calgary
    Posts
    65
    Rep Power
    0

    Default

    RSA is quite common in the Oil and Gas field, as you can imagine, lots of remote users.
    Last edited by Ariakas; 02-23-2006 at 01:34 PM.

  11. #11
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101

    Default

    Originally posted by Pacman
    I have noticed that if I'm playing streaming music on my WORK LAPTOP, and then I decide to log on to the VPN system....the streaming music stops as the system seems to disconnect it. I then have to wait for the VPN to login, go back to the streaming music website and start the connection again.
    So will MSN, ICQ, etc. But that doesn't mean much because as soon as the VPN connects, all existing connections get dropped and must reconnect regardless of which gateway you use.

    Let's go a little further and talk a bit about VPN network structure and design. Some companies like to route all traffic (including internet) thru them. That's the default Microsoft PPTP VPN setting, use the remote's gateway. The premise of this is that all internet access can be filtered through the company's network to filter from viruses and stuff. But that makes no sense, unless the laptop is ALWAYS connected to the VPN. For all we know, the laptop user is already infected when not connected to the VPN, and will attempt to spread to servers already. In which case, using the company's gateway for all traffic is just a waste of bandwidth. A network request goes from:

    you --> internet --> your company --> internet --> server

    and reverse order when you go back. Another reason companies do it is to make sure you're not sending information out to competitors. But again, that makes no sense. You can download the information, save it to your computer, disconnect off the VPN and they'll never know.

    When you uncheck the use remote gateway box, you basically just use the VPN for accessing resources that need to go thru the VPN, or anything that connects to the company's subnet. Company servers, company emails, etc. For all other stuff, you go through your own internet, doesn't cost bandwidth or latency. For most viruses and trojans, it uses the primary network connection. Wired and wireless are up higher than a dialup connection, so it never even tries to access your VPN. Kind of a ghetto firewall in a sense. In any case, when opening up remote users for VPN, there should be some sort of protection against intrusions at the VPN point, because you now have machines that are beyond the control of the internal IT guys.

    Of course, if your company network has more than 1 subnet and has routers, there's gotta be routing rules in place so you can live without the "use remote gateway" setting. Not terribly hard to setup.

    Here's a good link I just found on google that talks about the setting in a real environment at U of Central Florida. Even talks about pros and cons that I described.

    http://www.noc.ucf.edu/VPN/default_gw.htm

    Good network design chat.
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name
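
An added example, not part of the post above or of the linked UCF page: a small model of the route selection behind the "use remote gateway" setting discussed in post #11, including the multi-subnet case that needs extra routing rules. All addresses, metrics, interface names and the `build_table`, `pick_interface` and `paths` helpers are constructed assumptions.

```python
import ipaddress

NET = ipaddress.ip_network

def build_table(use_remote_gateway, extra_vpn_routes=()):
    """Constructed routing table for the work laptop: (network, metric, interface)."""
    table = [
        (NET("0.0.0.0/0"), 20, "lan"),       # default route via the home router
        (NET("192.168.1.0/24"), 20, "lan"),  # on-link home subnet (desktop lives here)
        (NET("10.20.0.0/16"), 1, "vpn"),     # company subnet the VPN adapter sits on
    ]
    if use_remote_gateway:
        # "Use remote gateway" adds a lower-metric default route over the VPN.
        table.append((NET("0.0.0.0/0"), 1, "vpn"))
    # Static routes for company subnets behind internal routers.
    table += [(NET(cidr), 1, "vpn") for cidr in extra_vpn_routes]
    return table

def pick_interface(table, dest):
    """Longest-prefix match; the lowest metric breaks ties between equal prefixes."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in table if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[1]))[2]

# Constructed destinations (documentation and private address ranges).
DESTS = {
    "internet server": "203.0.113.10",
    "company server": "10.20.5.5",
    "second company subnet": "10.30.1.1",
    "home desktop": "192.168.1.10",
}

def paths(use_remote_gateway, extra_vpn_routes=()):
    """Map each sample destination to the interface its traffic would leave on."""
    table = build_table(use_remote_gateway, extra_vpn_routes)
    return {name: pick_interface(table, ip) for name, ip in DESTS.items()}

if __name__ == "__main__":
    for label, args in [("remote gateway on", (True,)),
                        ("remote gateway off", (False,)),
                        ("off + static route", (False, ("10.30.0.0/16",)))]:
        print(label, paths(*args))
```

In this model the home subnet stays on the `lan` interface in both modes because its /24 route is more specific than either default route; VPN clients that block local LAN access do so with extra policy, which is not modelled here.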
